Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 08:06:50.735 PST
Gen. Time: 01/13/2013 08:06:51.031 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      130.29.190.23 (08:06:50.735 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (08:06:50.735 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      130.73.83.134 (08:06:51.031 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (08:06:51.031 PST)

tcpslice 1358093210.735 1358093210.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 14:09:39.672 PST
Gen. Time: 01/13/2013 14:09:39.843 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      130.90.204.16 (14:09:39.672 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (14:09:39.672 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      130.65.195.175 (14:09:39.843 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (14:09:39.843 PST)

tcpslice 1358114979.672 1358114979.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 15:44:51.595 PST
Gen. Time: 01/13/2013 15:44:51.717 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      130.226.42.129 (15:44:51.595 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (15:44:51.595 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      130.226.42.129 (15:44:51.717 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (15:44:51.717 PST)

tcpslice 1358120691.595 1358120691.596 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 18:29:53.537 PST
Gen. Time: 01/13/2013 18:29:53.646 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      130.128.212.61 (18:29:53.537 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (18:29:53.537 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      130.155.128.79 (18:29:53.646 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (18:29:53.646 PST)

tcpslice 1358130593.537 1358130593.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 18:29:53.537 PST
Gen. Time: 01/13/2013 18:34:04.709 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      130.128.212.61 (18:29:53.537 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (18:29:53.537 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      130.155.128.79 (18:29:53.646 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (18:29:53.646 PST)
      106.78.18.8 (18:32:13.219 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/25/3/0): 445:25, [] MAC_Src: 00:30:48:30:03:AF 0->0 (18:32:13.219 PST)

tcpslice 1358130593.537 1358130593.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 19:45:00.746 PST
Gen. Time: 01/13/2013 19:45:00.919 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      115.119.251.5 (19:45:00.746 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (19:45:00.746 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      115.119.251.5 (19:45:00.919 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 135:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (19:45:00.919 PST)

tcpslice 1358135100.746 1358135100.747 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 21:05:24.507 PST
Gen. Time: 01/13/2013 21:05:24.681 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      130.164.112.159 (21:05:24.507 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (21:05:24.507 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      109.229.44.248 (21:05:24.681 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 135:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (21:05:24.681 PST)

tcpslice 1358139924.507 1358139924.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 21:12:05.157 PST
Gen. Time: 01/13/2013 21:12:05.157 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      109.229.44.248 (21:12:05.157 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/25/2/0): 135:25, [] MAC_Src: 00:30:48:30:03:AF 0->0 (21:12:05.157 PST)

tcpslice 1358140325.157 1358140325.158 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 23:50:50.051 PST
Gen. Time: 01/13/2013 23:50:50.163 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      130.251.136.226 (23:50:50.051 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (23:50:50.051 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      130.251.136.226 (23:50:50.163 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (23:50:50.163 PST)

tcpslice 1358149850.051 1358149850.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.132'

============================== SEPARATOR ================================
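Added example, not BotHunter output or code: a small Python parser for the profile format above, written to triage a report like this one. Every profile here is the same story, 192.168.1.132 spraying TCP 445 (SMB) and later TCP 135 (the MS-RPC endpoint mapper) across 10 to 26 distinct /24s, with the moderate rule (event=777:7777005, E5) firing first and the intense rule (777:7777008, E8) a fraction of a second later; the address printed above each event is the remote end of the burst. The parser splits the report on the SEPARATOR rule, reads Score, Infected Target, Observed Start and Gen. Time, extracts each scan event (peer, signature, IP count, the S/M/O/I packet counters and the port:count list), converts Observed Start to the epoch form tcpslice takes (PST is treated as UTC-8, which reproduces the 1358093210.735 printed above) and rebuilds the carve command. Two things a responder should notice when reading the report: the tcpslice window it prints is 1 ms wide (Observed Start to Observed Start + 0.001), so the carved pcap holds only the opening packets of the burst, and in the 21:12:05 profile Observed Start equals Gen. Time. The through_gen_time option, which is my extension and not something the report does, widens the window to Gen. Time and falls back to 1 ms when the two stamps are equal. The sample text is copied from two of the profiles above; the regexes and the TZ_OFFSETS entries for zones other than PST are assumptions.

```python
"""Parse BotHunter infection profiles like those above and rebuild the pcap-carving
command each one ends with.  Added example, not BotHunter code; the field layout is
inferred from the report above."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two profiles copied from the report above, reduced to the
# header fields and scan events this parser reads.
SAMPLE = """\
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.132
Observed Start: 01/13/2013 08:06:50.735 PST
Gen. Time: 01/13/2013 08:06:51.031 PST
   OUTBOUND SCAN (spp)
      130.29.190.23 (08:06:50.735 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (08:06:50.735 PST)
   OUTBOUND INTENSE MALWARE PORT SCAN
      130.73.83.134 (08:06:51.031 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (08:06:51.031 PST)
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.132
Observed Start: 01/13/2013 21:12:05.157 PST
Gen. Time: 01/13/2013 21:12:05.157 PST
   OUTBOUND INTENSE MALWARE PORT SCAN
      109.229.44.248 (21:12:05.157 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/25/2/0): 135:25, [] MAC_Src: 00:30:48:30:03:AF 0->0 (21:12:05.157 PST)
============================== SEPARATOR ================================
"""

SEPARATOR_RE = re.compile(r"^=+ SEPARATOR =+$", re.M)
# One scan event: the peer address and time, then the event= line under it.
EVENT_RE = re.compile(
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) \((?P<time>[\d:.]+ [A-Z]{3})\)\s+"
    r"event=(?P<sid>\d+:\d+) \{\w+\} E\d+\[bh\] Detected (?P<level>\w+) malware "
    r"port scanning of (?P<n_ips>\d+) IPs \(\d+ /24s\) "
    r"\(# pkts S/M/O/I=(?P<smoi>\d+/\d+/\d+/\d+)\): (?P<ports>(?:\d+:\d+, )+)\[\] "
    r"MAC_Src: (?P<mac>[0-9A-Fa-f:]{17})")
# The report prints local time (PST, UTC-8); the other zones are an assumption.
TZ_OFFSETS = {"PST": -8, "PDT": -7, "UTC": 0}

def _field(pattern, chunk):
    m = re.search(pattern, chunk, re.M)
    if not m:
        raise ValueError(f"profile is missing field {pattern!r}")
    return m.group(1).strip()

def _event(m):
    # "445:10, 135:3, " -> {445: 10, 135: 3}  (port -> number of probes)
    ports = dict(tuple(map(int, p.split(":"))) for p in m["ports"].rstrip(", ").split(", "))
    return {"peer": m["peer"], "time": m["time"], "sid": m["sid"], "level": m["level"],
            "n_ips": int(m["n_ips"]), "smoi": tuple(int(x) for x in m["smoi"].split("/")),
            "ports": ports, "mac": m["mac"]}

def parse_profiles(text):
    """Split on the SEPARATOR rule and return one dict per infection profile."""
    profiles = []
    for chunk in SEPARATOR_RE.split(text):
        if "Score:" not in chunk:
            continue
        profiles.append({
            "score": float(_field(r"^Score: ([\d.]+) \(>=", chunk)),
            "target": _field(r"^Infected Target: (\S+)", chunk),
            "start": _field(r"^Observed Start: (.+)$", chunk),
            "gen": _field(r"^Gen\. Time: (.+)$", chunk),
            "events": [_event(m) for m in EVENT_RE.finditer(chunk)]})
    return profiles

def to_epoch(stamp):
    """'01/13/2013 08:06:50.735 PST' -> 1358093210.735, the form tcpslice takes."""
    date, clock, tz = stamp.split()
    naive = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
    return round(naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz]))).timestamp(), 3)

def tcpslice_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd",
                     through_gen_time=False):
    """Rebuild the carve command under each profile.  The report's own window is
    Observed Start to +1 ms, i.e. only the first packets; through_gen_time=True (my
    extension) runs it to Gen. Time, keeping 1 ms when the two stamps are equal."""
    start = to_epoch(profile["start"])
    end = to_epoch(profile["gen"]) if through_gen_time else start + 0.001
    if end <= start:
        end = start + 0.001
    return (f"tcpslice {start:.3f} {end:.3f} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {profile['target']}'")

def scan_summary(profile):
    """Which ports were sprayed, how widely, and whether 777:7777008 (intense) fired."""
    ports, max_ips = set(), 0
    for ev in profile["events"]:
        ports.update(ev["ports"])
        max_ips = max(max_ips, ev["n_ips"])
    return {"target": profile["target"], "score": profile["score"], "ports": sorted(ports),
            "max_ips": max_ips, "intense": any(e["sid"] == "777:7777008" for e in profile["events"])}

if __name__ == "__main__":
    for p in parse_profiles(SAMPLE):
        print(scan_summary(p))
        print(tcpslice_command(p, through_gen_time=True))
```

Run against the full report, the summaries show one host, two ports and a steadily growing spread (10, 21, then 26 /24s), which is the pattern to hunt for on the other sensors; the default tcpslice_command reproduces the report's own carve lines byte for byte, so it doubles as a check on the time-zone handling.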